US20060294194A1 - Access control list checking - Google Patents

Access control list checking Download PDF

Info

Publication number
US20060294194A1
US20060294194A1 US11159928 US15992805A US2006294194A1 US 20060294194 A1 US20060294194 A1 US 20060294194A1 US 11159928 US11159928 US 11159928 US 15992805 A US15992805 A US 15992805A US 2006294194 A1 US2006294194 A1 US 2006294194A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
system
access control
control list
application
method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US11159928
Other versions
US7475138B2 (en )
Inventor
Marc Graveline
Ulf Viney
Matt Masson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Palo Alto Networks Inc
Original Assignee
Cognos Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/101Access control lists [ACL]

Abstract

Method and system for dynamically checking an access control list during the data transfers between a client web browser and a web server. The method and system allow checking of access control list by an application firewall, independent from the web application. The rules, upon which the checking is based, can be easily updated without affecting the web application.

Description

    FIELD OF INVENTION
  • The present invention relates to web application. More specifically, the present invention relates to web application security.
  • BACKGROUND OF THE INVENTION
  • The Internet is by far the largest, most extensive publicly available network of interconnected computer networks that transmit data by packet switching using a standardized Internet Protocol (IP) and many other protocols. The Internet has become an extremely popular source of virtually all kinds of information. Increasingly sophisticated computers, software, and networking technology have made Internet access relatively straightforward for end users. Applications such as electronic mail, online chat and web browser allow the users to access and exchange information almost instantaneously.
  • The World Wide Web (WWW) is one of the most popular means used for retrieving information over the Internet. WWW can cope with many types of data which may be stored on computers, and is used with an Internet connection and a web browser. The WWW is made up of millions of interconnected pages or documents which can be displayed on a computer or other interface. Each page may have connections to other pages which may be stored on any computer connected to the Internet. Uniform Resource Identifiers (URI) is an identifying system in WWW, and typically consists of three parts: the transfer format (also known as the protocol type), the host name of the machine which holds the file (may also be referred to as the web server name) and the path name to the file. The transfer format for standard web pages is Hypertext Transfer Protocol (HTTP). Hyper Text Markup Language (HTML) is a method of encoding the information so it can be displayed on a variety of devices.
  • HTTP is the underlying transactional protocol for transferring files (text, graphic images, sound, video, and other multimedia files) between clients and servers. HTTP defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands. A web browser as an HTTP client, typically initiates a request by establishing a TCP/IP connection to a particular port on a remote host. An HTTP server monitoring that port waits for the client to send a request string. Upon receiving the request string (and message, if any), the server may complete the protocol by sending back a response string, and a message of its own, in the form of the requested file, an error message, or any other information. Web pages regularly reference to pages on other servers, whose selection will elicit additional transfer requests. When the browser user enters file requests by either “opening” a web file by typing in a Uniform Resource Locator (URL), or clicking on a hypertext link, the browser builds an HTTP request. In actual applications, web clients may need to be distinguished and authenticated, or a session which holds a state across a plurality of HTTP protocols may need to be maintained by using “state” called cookie.
  • An HTTP request may have following syntax: http://hostname/path?query
  • The hostname may be the name or IP address of a server, optionally followed by a colon and a port number. It may further include information on username and password for authenticating to the server. The path is a specification of a location in some hierarchical structure, using a slash (“/”) as delimiter between components, for example, “/directory/subdirectory/file”. The query part is typically intended to express parameters of a dynamic query to some database residing on the server, for example “?search=business”.
  • To respond to the request from a web browser, Common Gateway Interface (CGI) programs may be run on the web server. CGI is a specification for transferring information between a web server and a web browser. Other interface may include ISAPI (Internet Service Application Programming Interface), an application programming interface (API) for Microsoft's Internet Information Server (IIS), The request from the web server may also pass-through a web server and reach the web application directly
  • Dynamic feedback for web browser clients can also be provided to include scripts or programs that execute on the user's machine rather than on the web server, for example by way of Java applets, Javascript™, or ActiveX™ controls.
  • To determine the appropriate capability or permissions a web user can read from, write to or execute a given object in a web application, an Access Control List (ACL) can be implemented. An access control list may be in the form of a table, containing entries that specify individual user or group rights to specific objects, such as a program, a file directory, or a file.
  • An elevation of privilege is a term for a type of security vulnerability that allows a user to get more permissions than normally assigned, sometimes by using malicious means. For example, in a successful elevation of privilege attack, a malicious user manages to get administrative privileges to the web application, enabling the attacker to take control over web application. Elevation of privilege vulnerabilities may also include inadvertent security violations, e.g. the client application is able to access a service for which they are not authorized because the web application fails to implement the properly security checks.
  • Implementations of access control list may be complex as access control list applies to objects, directories, and for the objects and the sub directories within the directories. When an elevation of privilege is found, web application security may be compromised. To ensure the security of the web application, either the entire request may need to be blocked, or fixed through the change of the web application's architecture, which tend to be time consuming and complex.
  • US Application 20050015674 describes a portable access control list (PACL) model. The PACL is a global representation of the access control list including a tuple of identifiers, permissions and/or actions, and application rules. The portable ACL model is a superset of all existing identifiers, permissions, and actions. However, the PCAL does not provide a solution to provide security for release of web applications on a web server, nor does it check with a remote system.
  • US Application 20040193906 describes a system for use in a network implementing service applications. The system has an access control list with sets of associated client identification and destination service identification. The system analyzes an incoming service-access request, for source identification associated with a source of the service-access request; and destination service identification associated with an intended destination of the server-access request; the identification is based on service address and port number. The system then determines whether indicia of the source identification and of the destination service identification from the service-access request is included in the access control list in a manner that indicates that the source of the service-access request is authorized for access to a service associated with the destination service identification. While elevation of privilege violations, either inadvertent or malicious, may be avoided. This system is based on pairings of client-application combinations and services.
  • Similarly, US Application 20040064721 describes a namespace management module utilizing a persistent reservation store that associates URI namespaces with one or more permissions. The reservation store can contain a number of reservation entries that each include a URI identifying a URI namespace and a corresponding access control list that includes permissions for the identified URI namespace. When a request to register a URI namespace is received, the permissions of an appropriate access control list can be checked to determine if the registration is approved. When a resource request is received, permissions of the access control lists can also be checked to determine if the resource request should be routed to a registered process. The disclosed method only look at different web applications in different locations, it does not check the permission inside an application. This method also does not utilize rule based syntax, relying on an external system to register URI namespaces with the application.
  • Therefore, there is a need for an improved method and system to provide security to web applications. More specifically, there is a need to provide a method and system to dynamically check the permission and capability in an access control list (ACL) independently of the web application.
  • SUMMARY OF THE INVENTION
  • According to one aspect of the present invention there is provided a method of checking an access control list for a web application comprising the steps of: receiving a request from a web client; parsing the request to an application firewall; said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request; checking the received request based on said rule; allowing the received request passing through the application firewall upon matching the rules; and checking the access control list with an authentication provider.
  • According to another aspect of the present invention there is provided a computer software product for checking an access control list for a web application comprising: a memory having microcontroller-readable code embedded therein for checking an access control list for a web application, said code comprising: code means for receiving a request from a web client; code means for parsing the request to an application firewall, said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request; code means for checking the received request based on said rule; code means for allowing the received request passing through the application firewall upon matching the rules; and code means for checking the access control list with an authentication provider.
  • According to another aspect of the present invention there is provided a system for checking an access control list for a web application, comprising: means for receiving a request from a web client; means for parsing the request to an application firewall, said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request; means for checking the received request based on said rule; means for allowing the received request passing through the application firewall upon matching the rules; and means for checking the access control list with an authentication provider.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • These and other features of the invention will become more apparent from the following description in which reference is made to the appended drawings wherein:
  • FIG. 1 shows a generic computing environment in which the present invention may be implemented;
  • FIG. 2 shows a generic overview of a web application environment;
  • FIG. 3 shows examples of firewalls in relation to the OSI model;
  • FIG. 4 shows examples of relationships between web clients and web applications;
  • FIG. 5 a shows example a web browser with a fill-out form;
  • FIG. 5 b shows a query originated from the fill-out form;
  • FIG. 5 c shows an example of a query URL;
  • FIG. 6 illustrates client web browsers with different privileges, and an example of elevation of privilege;
  • FIG. 7 depicts an embodiment of an application firewall in collaboration with an access control list checking;
  • FIG. 8 a illustrates the steps of checking access control list;
  • FIG. 8 b shows an example of a check performed at step 828 in FIG. 8 a;
  • FIG. 9 is an example of capability checking; and
  • FIG. 10 is an example of permission checking.
  • DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
  • Reference will now be made in detail to some specific embodiments of the invention including the best modes contemplated by the inventors for carrying out the invention. Examples of these specific embodiments are illustrated in the accompanying drawings. While the invention is described in conjunction with these specific embodiments, it will be understood that it is not intended to limit the invention to the described embodiments. On the contrary, it is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The present invention may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure the present invention.
  • In this specification and the appended claims, the singular forms “a,” “an,” and “the” include plural reference unless the context clearly dictates otherwise. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood to one of ordinary skill in the art to which this invention belongs.
  • FIG. 1 and the following discussion are intended to provide a brief general description FIG. 1 illustrates a block diagram of a suitable computing environment in which a preferred embodiment of the present invention may be implemented.
  • Those skilled in the art will appreciate that the invention may be practiced with many computer system configurations, including personal computers, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
  • Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types.
  • With reference to FIG. 1 an exemplary system 100 for implementing the invention may be, for example, one of the general purpose computers. The system 100 includes processor 102, which in the exemplary embodiment are each connected to cache memory 104, the cache 104 is connected in turn to a system bus 106 that couples various system components.
  • Also connected to system bus 106 are a system memory 108 and a host bridge 110. Host bridge 110 connects I/O bus 112 to system bus 106, relaying and/or transforming data transactions from one bus to the other. The system bus 106 and the I/O bus 112 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read-only memory (ROM) 114 and random access memory (RAM) 116. A basic input/output system 118 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 100, such as during start-up, is stored in ROM 114.
  • In the exemplary embodiment, the system 100 may further include a graphics adapter 120 connected to I/O bus 112, receiving user interface information for display device 122. A user may enter commands and information into the system 100 through input devices 130 such as a conventional mouse, a key board 130, or the like. Other input devices 134 may include a microphone, joystick, game pad, satellite dish, scanner or the like. The devices may be connected via an Industry Standard Architecture (ISA) bridge 126, or a Universal Serial Bus (USB) bridge 132 to I/O bus 112, respectively. PCI device such as a modem 138 may be connected to the I/O bus 112 via PCI bridge 136.
  • The exemplary system 100 may further include a hard disk drive 124 for reading from and writing to a hard disk, connected to the I/O bus via a hard disk interface 140, and an optical disk drive 142 for reading from or writing to a removable optical disk 144 such as a CD-ROM or other optical media. The hard disk drive 124, magnetic disk drive 28, and optical disk drive 142 may be connected to the I/O bus 112 by a hard disk drive interface 140, and an optical drive interface 146, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules and other data for the system 100. Although the exemplary environment described herein employs a hard disk 124 and a removable optical disk 144, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read-only memories (ROMs) and the like may also be used in the exemplary operating environment.
  • A number of program modules may be stored on the hard disk 124, optical disk 144, ROM 118 or RAM 116, including an operating system 148, one or more application programs 150, other program modules 152 and program data 154.
  • The exemplary system 100 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 156. The remote computer 156 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the exemplary system 100. The logical connections depicted in FIG. 1 include a network 158, for example, a local area network (LAN) or a wide area network (WAN). Such networking environments are commonplace in offices, enterprise-wide computer networks, Intranets and the Internet.
  • When used in a networking environment, the exemplary system 100 is connected to the local network 158 through a network interface or adapter 160. The exemplary system 100 may use the modem 138 or other means for establishing communications 162 over a wide area network such as the Internet. In a networked environment, program modules depicted relative to the exemplary system 100, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
  • The exemplary embodiment shown in FIG. 1 is provided solely for the purposes of explaining the invention and those skilled in the art will recognize that numerous variations are possible, both in form and function. For instance, the exemplary system 100 may also include a magnetic disc drive, and numerous other optional components. All such variations are believed to be within the spirit and scope of the present invention. The exemplary system 100 and the exemplary figures below are provided solely as examples for the purposes of explanation and are not intended to imply architectural limitations. In fact, this method and system can be easily adapted for use on any programmable computer system, or network of systems, on which software applications can be executed.
  • FIG. 2 provides an overview of a network 210 with a firewall 216 separating the web application 218 with the client browser 240 on a computer 212 over a public network 214 such as Internet. The web server 217 generally monitors the requests 220 from a web browser 240 to a web application 218. The web server 217 may include a firewall 216. The web application 218 may be a business reporting engine.
  • Referring to FIG. 3, one type of firewalls 216 is the network layer firewall 324 operating at the TCP/IP protocol stack as IP-packet filters, allowing packets to pass through the firewall only when they match the rules. The rules could be defined by the user; or by default. Network firewalls exist in most computer operating system and network appliances. Network firewalls deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level.
  • Another type of firewall is an application layer firewall operating at the application layer of a protocol stack. It may be a host using a proxy server or gateway, or a module embedded within an application. The purpose of an application firewall is to proxy traffic instead of routing it. As it works at the application layer, it may be configured to inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as invalid request or attempts to exploit logical flaws in the application. The application firewall may be configured by a set of predetermined rules that are read at the time of startup.
  • In business intelligence applications, a report engine (RE) may need to communicate with remote users or services. To increase security, it may use an application firewall 326 to monitor and filter traffic to protect itself against attacks from malicious users.
  • Different examples of authentication are presented in a logical schematic in FIG. 4. In FIG. 4 (a), the client 240 is sending a request 220 to the web application 218 directly.
  • In FIG. 4 (b), a gateway 217 is used between the client 240 and the web application 218. A gateway is a custom web server module or plug-in created to process requests, and it generally the first point of contact for a web application. The term “gateway” is intended to include any gateways known to a person skilled in the art, for example, CGI; ISAPI for the Microsoft Internet Information Services (IIS) web server; Apache web server module; a servlet gateway; or the like.
  • In FIG. 4 (c), network firewalls 216 are placed in front of the gateway 217 and web application 218 to provide additional network security.
  • As illustrated in FIG. 4 (d) an application firewall 790 is layered on top of an application 218, and performs an analysis of the request 220. If the application 218 is required to authenticate users or needs to check user access control lists, it may use a separate authentication provider 410. The authentication provider 410 may be on a remote system. If an application 218 does not perform the authentication properly, for example, fails to properly check the permission and the capability of the client 240, the application may need to be re-deployed through time-consuming new-releases.
  • In FIG. 4 (e), in accordance with one embodiment of the present invention, an application firewall 790 may be configured to authenticate client requests with an authentication provider 410 independently of the application 218 in cases where the application fails to make the proper checks. In accordance with another embodiment of the present invention, an application firewall 790 may be required to enhance security for multiple applications.
  • Referring to FIGS. 2 and 5, an exemplary web browser 240 with a fill-out form with three text input fields 542, 544, 546 is shown in FIG. 5 a. FIG. 5 b is the corresponding implementation in HTML. From the web application's 218 point of view, the path (e.g. http://www.example.com/cgi-bin/file-query) is defined to be served by a CGI program. Whenever a request 220 to the matching URL is received, the corresponding program (e.g. file-query) is called, with any data that the client sent as input 220C. Output from the program is collected by the web server, augmented with appropriate headers, and sent back 222 to the client.
  • Referring to FIG. 5 b, the FORM tag specifies a fill-out form within an HTML document. The attributes inside the FORM tags may be one, or more than one of ACTION, METHOD. ACTION refers to URL to a query server to which the contents of the form are submitted. METHOD is the method used to submit the fill-out form to a query server, and is either GET or POST.
  • GET is the method wherein the fill-out form contents are sent as part to the URL. When the “SUBMIT” button is pressed, the contents of the form will be assembled into a query URL as shown in FIG. 5C. With the exception of “=” that separate names and values, and “&” that separate name/value pairs, characters such as “=” and “&” inside any of the “name” or “value” pairs will be escaped, and spaces are changed into “+” and some other characters are encoded into hexadecimal.
  • POST is the method that causes the fill-out form contents to be sent to the server in a separate data block. The contents of the form are encoded exactly as with GET, but rather than appending them to the URL specified by the form's ACTION attribute as a query, the contents are sent in a data block as part of the POST operation.
  • Other tags may be nested inside the FORM tag. For example, the INPUT tag is used to specify input elements inside a FORM. It is a standalone tag; it does not surround anything and there is no terminating tag </INPUT>. Different TYPES of INPUT tags are defined as widget elements, and used as attributes to INPUT tag, for example, “text” is used as default for text entry field; “submit” as a push button causing the current form to be packaged up into a query URL and sent to a remote server; “reset” as a push button causing the input elements in the form to be reset to the default values. Other TYPES include: “password” for entering characters displayed as asterisks; “checkbox” for a single toggle button; and “radio” a single toggle button in “one of many” behavior.
  • NAME is the symbolic name, for example “a”, “b” and “c” in FIG. 5B, for the input fields. When the user places data in these items in the form, that information is encoded into the form data. The value each of the input items is given by the user. The NAME attribute is used for assembling query string sent to the remote server when the filled-out form is submitted. Form data is a stream of name=value pairs separated by the character “&”. Each name=value pair is URL encoded, i.e. spaces are changed into “+” and some characters are encoded into hexadecimal.
  • Other attributes for the INPUT tag include VALUE, which is used differently for different types, for example, VALUE may be used to specify the label for the push button types. For a text or password entry field, VALUE may be used to specify the default contents of the field. For a checkbox or a radio button, VALUE may specify the value of the button when it is checked. SIZE; and MAXLENGTH may be used for the physical size and the maximum number of characters for the input fields.
  • Referring to FIGS. 2 and 5, if “888” is typed into the first field, “Main” into the second, and “Admin” into the third, the query that results from this form, after passing the web server 217 may be shown in FIG. 5 c:
  • “file-query?a=888&b=Main&c=admin”
  • Here, each text entry field is given a distinct Name attribute, e.g. “a”, “b”, and “c”. If nothing is typed into any of the fields, the corresponding “name=value” pairs will still be present in the query with the value absent. For example, if “888” is entered into the first field and “admin” into the third, and nothing into the second, the query may look similar to:
  • file-query?a=888&b=&c=admin”.
  • Requests to a web application may also originate from a software development kit, or SDK client, which is a set of development tools that provide an interface to a software application. Using this interface, a software engineer is able to create custom applications. Modern SDKs commonly make use of a set of XML or SOAP messages. Requests to a web application may also originate from an SDK client.
  • Referring to FIG. 6, when user admin 650 log in at a web browser 652, a query 654 is usually sent to the web application, and resulting a display page 656 which is privileged to the user admin. When user John 658 is log in at a web browser 660, he usually receives a different display page 662 after sending a different query 664. However, if John send a query 666 similar to the user administrator's query, maliciously or inadvertently, and the web application does not have the proper access control list, an elevation of privilege takes place, and John may receive the privileged information on the web page 656. An elevation of privilege is the process to get more permission than normally assigned.
  • Once the elevation of privilege is successful, an application firewall may have to block the entire request, until a change can be made at the web application. For large web application, such as a business report engine, the changes can be complex and time consuming.
  • Referring now to FIG. 7, in accordance to one embodiment of the present invention, an application firewall 790 dynamically identifying the permission and capability by checking the rules 718. The rules are independent of the web application and can be updated easily. The application firewall 790 reads the rules to determine whether or not to make an ACL check. The ACL table information may be stored in an authentication provider 410, one example of an authentication provider is a content manager. If the application firewall 790 determines that a check needs to be made, it makes a request 714 to the authentication provider 410. The authentication provider 410 will return 716 whether or not the user has permission to the resource, or the requested capability. The request 710 and response 712 may pass through a web server 710 a, 712 a or directly 710 b, 712 b.
  • As shown in FIG. 7, the “rules based” method and system for checking application access list for rejecting a request now resides in the application firewall. If the web application 218 fails to enforce the permission or capability checks, the rules 718 in the application firewall can easily be updated 720 independently of the web application, for example, by adding new checks without adding code to the web application. The elevation of privilege can therefore be prevented. Similarly, if an application 218 originally interacts with the authentication provider 410 directly, but fails to check the permission or capability properly, based on the analysis of the traffic, the application firewall 790 of the present invention can enforce a rule on the request, check with the authentication provider 410 and provider proper authentication.
  • The term “permission” is intended to include the authorization to use, access, write, read, modify, change, execute, or manipulate an object in the web application. An object may include a file, a directory, a program, a web page, a report or any other means residing in the web application. The term “capability” is intended to include the allowed state of the user to use a feature or access a service provided by the web application.
  • Referring to FIGS. 7 and 8, in accordance with one embodiment of the present invention, the steps of a method to check the permission or capability of a request are described. At step 720, the rules 718 in the application firewall 790 are parsed into a logical format for use in the checking process. The user request is then parsed 822 and validated 824. Each ACL check condition is checked (826) against the current request. Each condition may use a regular expression pattern to define a matching value. A regular expression is generally a string describing or matching a set of strings, according to certain syntax rules. Regular expressions are used to search and manipulate bodies of text based on certain patterns. If there is a match 827, a check is made with the authentication provider on whether the user has permission to execute the request 828. For example, whether the user has the permission to execute a file “a” within the context of the web application. If the check is successful, the next ACL check condition in the list is checked 830.
  • Referring to FIGS. 7 and 9, an example of checking capability in accordance with one embodiment of the present invention is given. This figure provides an example of an access control rule that checks whether a user accessing the system has administration rights. The access control list checking is started by checking the HTTP request METHOD header. The METHOD may be either GET or POST 940. The context being checked at 942 is product specific. At 944 the content is checked. The CONTENT may be an HTTP form or an XML SDK request. Various conditions may be part of the rules 718 in the application firewall 790, for example, whether a “name” parameter is equal to “admin” or “administrator”, and parameter “path” is equal to “portal/admin.html”. The conditions are further specified by an operand for the various variables in the conditions. The operand may be “AND”, “OR”, or “NOT”. The conditions are checked 946. If the parameters in a request match the rules set forth 948, it will then be determined whether the user has the capability, e.g. “canUseAdministrationPortal” 950. The checking the capability step 950 may be performed on a remote system, or using the remote system's ACL.
  • An example for capability check as described above is summarized below:
  • EXAMPLE 1
  • <acl name=“administrationPortal” method=“any”
    context=“any” content=“form”>
    <condition>
    <operand type=“and”>
    <variable name=“name>
    <pattern value=“{circumflex over ( )}(admin|administrator)$”/>
    </variable>
    <variable name=“path”>
    <pattern value=“{circumflex over ( )}portal/admin.html$”/>
    </variable>
    </operand>
    </condition>
    <checks>
    <check>
    <capability value=“canUseAdministrationPortal”/>
    </check>
    </checks>
    </acl>
  • Referring to FIG. 10, the permission to access an object is illustrated. Similar to the capability check, access control list checking is started by checking the METHOD attribute. The METHOD may be either GET or POST 1060. The context being checked at 1062 is product specific. At 1064 the content is checked. The CONTENT may be an HTTP form or an XML SDK request. Various conditions may be part of the rules 718 in the application firewall 790, for example, whether an “action” parameter is equal to “view” The value (e.g. “reportName” parameter) that will become the target of the check may be captured, and stored internally (e.g. as “report”). This value may then be used in the check with the remote system. The conditions are further specified by an operand for the various variables in the conditions. The operand may be “AND”, “OR”, or “NOT”. The conditions are checked 1066. If the parameters in a request match the rules set forth 1068, it will then attempt to determine whether the user has the “read” permission, on the value, e.g. “reportName ” that was captured 1070. The checking the capability step 1070 may be performed on a remote system, or using the remote system's ACL.
  • An example for permission check as described above is summarized below:
  • EXAMPLE 2
  • <acl name=“viewReport” method=“any” context=“any” content=“form”>
    <condition>
    <operand type=“and”>
    <variable name=“action”>
    <pattern value=“{circumflex over ( )}view$”/>
    </variable>
    <variable name=“reportName” captureAs=“report”>
    <pattern value=“{circumflex over ( )}[A-Z]{1,1024}$”/>
    </variable>
    </operand>
    </condition>
    <checks>
    <check>
    <permission value=“view” object=“report”/>
    </check>
    </checks>
    </acl>
  • The invention can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations thereof. Apparatus of the invention can be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor; and method actions can be performed by a programmable processor executing a program of instructions to perform functions of the invention by operating on input data and generating output. The invention can be implemented advantageously in one or more computer programs that are executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. Each computer program can be implemented in a high-level procedural or object oriented programming language, or in assembly or machine language if desired; and in any case, the language can be a compiled or interpreted language. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a processor will receive instructions and data from a read-only memory and/or a random access memory. Generally, a computer will include one or more mass storage devices for storing data files. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks. Any of the foregoing can be supplemented by, or incorporated in, ASICs (application-specific integrated circuits). Further, a computer data signal representing the software code which may be embedded in a carrier wave may be transmitted via a communication network. Such a computer readable memory and a computer data signal are also within the scope of the present invention, as well as the hardware, software and the combination thereof.
  • The present invention has been described with regard to one or more embodiments. However, it will be apparent to persons skilled in the art that a number of variations and modifications can be made without departing from the scope of the invention as defined in the claims.

Claims (27)

  1. 1. A method of checking an access control list for a web application comprising the steps of:
    a) receiving a request from a web client;
    b) parsing the request to an application firewall; said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request;
    c) checking the received request based on said rule;
    d) allowing the received request passing through the application firewall upon matching the rules; and
    e) checking the access control list with an authentication provider.
  2. 2. The method as claimed in claim 1, wherein the access control list is provided by an independent authentication provider.
  3. 3. The method as claimed in claim 1, wherein the authentication provider is a remote software module.
  4. 4. The method as claimed in claim 1, wherein the authentication provider is a remote system.
  5. 5. The method as claimed in claim 1, wherein the application firewall is operatively responsible for a plurality of web applications.
  6. 6. The method as claimed in claim 1, wherein the syntax is selected from a group consisting of name, operand type; context, method, content, and combination thereof.
  7. 7. The method as claimed in claim 1, wherein the access control list is checked for a user's permission to access an object within a system.
  8. 8. The method as claimed in claim 1, wherein the access control list is checked for a user's capability to access a service provided by a system.
  9. 9. The method as claimed in claim 6, wherein the method is selected from a group consisting of GET or POST.
  10. 10. The method as claimed in claim 6, wherein the content is selected from a group consisting of HTTP encoded form variables, and XML content.
  11. 11. The method as claimed in claim 6, wherein the context is dependent of the web application.
  12. 12. A computer software product for checking an access control list for a web application comprising:
    a memory having microcontroller-readable code embedded therein for checking an access control list for a web application, said code comprising:
    code means for receiving a request from a web client;
    code means for parsing the request to an application firewall, said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request;
    code means for checking the received request based on said rule;
    code means for allowing the received request passing through the application firewall upon matching the rules; and
    code means for checking the access control list with an authentication provider.
  13. 13. The computer software product as claimed in claim 12, wherein the access control list is provided by an independent authentication provider.
  14. 14. The computer software product as claimed in claim 12, wherein the authentication provider is a remote software module.
  15. 15. The computer software product as claimed in claim 12, wherein the authentication provider is a remote system.
  16. 16. The computer software product as claimed in claim 12, wherein the application firewall is operatively responsible for a plurality of web applications.
  17. 17. The computer software product as claimed in claim 12, wherein the syntax is selected from a group consisting of name, operand type; context, method, content, and combination thereof.
  18. 18. The computer software product as claimed in claim 12, wherein the access control list is checked for a user's permission to access an object within a system.
  19. 19. The computer software product as claimed in claim 12, wherein the access control list is checked for a user's capability to access a service provided by a system.
  20. 20. A system for checking an access control list for a web application, comprising:
    means for receiving a request from a web client;
    means for parsing the request to an application firewall, said application firewall having a rule and residing independently of the web application, said rule having syntax to identify a parameter in the request;
    means for checking the received request based on said rule;
    means for allowing the received request passing through the application firewall upon matching the rules; and
    means for checking the access control list with an authentication provider.
  21. 21. The system as claimed in claim 20, wherein the access control list is provided by an independent authentication provider.
  22. 22. The system as claimed in claim 20, wherein the authentication provider is a remote software module.
  23. 23. The system as claimed in claim 20, wherein the authentication provider is a remote system.
  24. 24. The system as claimed in claim 20, wherein the application firewall is operatively responsible for a plurality of web applications.
  25. 25. The system as claimed in claim 20, wherein the syntax is selected from a group consisting of name, operand type; context, method, content, and combination thereof.
  26. 26. The system as claimed in claim 20, wherein the access control list is checked for a user's permission to access an object within a system.
  27. 27. The system as claimed in claim 20, wherein the access control list is checked for a users capability to access a service provided by a system.
US11159928 2005-06-23 2005-06-23 Access control list checking Active 2027-04-27 US7475138B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11159928 US7475138B2 (en) 2005-06-23 2005-06-23 Access control list checking

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11159928 US7475138B2 (en) 2005-06-23 2005-06-23 Access control list checking
US12262661 US7805513B2 (en) 2005-06-23 2008-10-31 Access control list checking

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12262661 Continuation US7805513B2 (en) 2005-06-23 2008-10-31 Access control list checking

Publications (2)

Publication Number Publication Date
US20060294194A1 true true US20060294194A1 (en) 2006-12-28
US7475138B2 US7475138B2 (en) 2009-01-06

Family

ID=37568888

Family Applications (2)

Application Number Title Priority Date Filing Date
US11159928 Active 2027-04-27 US7475138B2 (en) 2005-06-23 2005-06-23 Access control list checking
US12262661 Active 2025-07-19 US7805513B2 (en) 2005-06-23 2008-10-31 Access control list checking

Family Applications After (1)

Application Number Title Priority Date Filing Date
US12262661 Active 2025-07-19 US7805513B2 (en) 2005-06-23 2008-10-31 Access control list checking

Country Status (1)

Country Link
US (2) US7475138B2 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174207A1 (en) * 2006-01-26 2007-07-26 Ibm Corporation Method and apparatus for information management and collaborative design
US20070294253A1 (en) * 2006-06-20 2007-12-20 Lyle Strub Secure domain information protection apparatus and methods
WO2009008003A2 (en) * 2007-07-10 2009-01-15 Bhavin Turakhia Method and system for restricting access of one or more users to a service
US20090059952A1 (en) * 2007-08-31 2009-03-05 Nokia Corporation Apparatus and method for managing access to one or more network resources
US20090094688A1 (en) * 2007-10-04 2009-04-09 Cognos Incorporated Method and system for synchronizing user sessions
US20090150592A1 (en) * 2007-12-06 2009-06-11 Kuo Hsiao-Chang Storage device with multiple management identity and management method thereof
US20090157627A1 (en) * 2007-09-28 2009-06-18 Xcerion Ab Network operating system
US20110099482A1 (en) * 2009-10-22 2011-04-28 International Business Machines Corporation Interactive management of web application firewall rules
US20110126281A1 (en) * 2009-11-20 2011-05-26 Nir Ben-Zvi Controlling Resource Access Based on Resource Properties
US20130198828A1 (en) * 2012-01-31 2013-08-01 Eric Addkison Pendergrass Application-access authentication agent
US20170140159A1 (en) * 2015-11-17 2017-05-18 Microsoft Technology Licensing, Llc Access Privilege Analysis for a Securable Asset

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9477820B2 (en) 2003-12-09 2016-10-25 Live Nation Entertainment, Inc. Systems and methods for using unique device identifiers to enhance security
US7475138B2 (en) * 2005-06-23 2009-01-06 International Business Machines Corporation Access control list checking
CA2651543C (en) * 2006-05-09 2016-02-16 Ticketmaster Apparatus for access control and processing
US8510138B2 (en) * 2009-03-06 2013-08-13 Ticketmaster Llc Networked barcode verification system
US9053146B1 (en) 2009-10-16 2015-06-09 Iqor U.S. Inc. Apparatuses, methods and systems for a web access manager
US9098509B1 (en) 2009-10-16 2015-08-04 Iqor Holding Inc., Igor U.S. Inc. Apparatuses, methods and systems for a call restrictor
US9672281B1 (en) 2009-10-16 2017-06-06 Iqor US. Inc. Apparatuses, methods and systems for a call searcher
US8584208B2 (en) * 2009-11-25 2013-11-12 Nokia Corporation Method and apparatus for providing a context resource description language and framework for supporting the same
US9245044B2 (en) * 2010-09-17 2016-01-26 Oracle International Corporation Use of generic universal resource indicators
KR20120083033A (en) * 2011-01-17 2012-07-25 삼성전자주식회사 System and method for supportting qos service of application in wireless communication system
US9485301B2 (en) * 2013-03-15 2016-11-01 Live Nation Entertainment, Inc. Prioritized link establishment for data transfer using task scheduling
US9798892B2 (en) 2013-03-15 2017-10-24 Live Nation Entertainment, Inc. Prioritized link establishment for data transfer using task scheduling
US10104085B2 (en) * 2015-12-07 2018-10-16 International Business Machines Corporation Permission based access control for offloaded services

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030114144A1 (en) * 2001-11-26 2003-06-19 Atsushi Minemura Application authentication system
US20040064721A1 (en) * 2002-09-30 2004-04-01 Microsoft Corporation Securing uniform resource identifier namespaces
US20040193906A1 (en) * 2003-03-24 2004-09-30 Shual Dar Network service security
US20050015674A1 (en) * 2003-07-01 2005-01-20 International Business Machines Corporation Method, apparatus, and program for converting, administering, and maintaining access control lists between differing filesystem types
US20050091068A1 (en) * 2003-10-23 2005-04-28 Sundaresan Ramamoorthy Smart translation of generic configurations
US20060075478A1 (en) * 2004-09-30 2006-04-06 Nortel Networks Limited Method and apparatus for enabling enhanced control of traffic propagation through a network firewall
US7076558B1 (en) * 2002-02-27 2006-07-11 Microsoft Corporation User-centric consent management system and method
US7100195B1 (en) * 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7509673B2 (en) 2003-06-06 2009-03-24 Microsoft Corporation Multi-layered firewall architecture
US20060041936A1 (en) * 2004-08-19 2006-02-23 International Business Machines Corporation Method and apparatus for graphical presentation of firewall security policy
US7475138B2 (en) * 2005-06-23 2009-01-06 International Business Machines Corporation Access control list checking

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7100195B1 (en) * 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
US20030114144A1 (en) * 2001-11-26 2003-06-19 Atsushi Minemura Application authentication system
US7076558B1 (en) * 2002-02-27 2006-07-11 Microsoft Corporation User-centric consent management system and method
US20040064721A1 (en) * 2002-09-30 2004-04-01 Microsoft Corporation Securing uniform resource identifier namespaces
US20040193906A1 (en) * 2003-03-24 2004-09-30 Shual Dar Network service security
US20050015674A1 (en) * 2003-07-01 2005-01-20 International Business Machines Corporation Method, apparatus, and program for converting, administering, and maintaining access control lists between differing filesystem types
US20050091068A1 (en) * 2003-10-23 2005-04-28 Sundaresan Ramamoorthy Smart translation of generic configurations
US20060075478A1 (en) * 2004-09-30 2006-04-06 Nortel Networks Limited Method and apparatus for enabling enhanced control of traffic propagation through a network firewall

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174207A1 (en) * 2006-01-26 2007-07-26 Ibm Corporation Method and apparatus for information management and collaborative design
US20070294253A1 (en) * 2006-06-20 2007-12-20 Lyle Strub Secure domain information protection apparatus and methods
WO2009008003A3 (en) * 2007-07-10 2010-07-22 Bhavin Turakhia Method and system for restricting access of one or more users to a service
WO2009008003A2 (en) * 2007-07-10 2009-01-15 Bhavin Turakhia Method and system for restricting access of one or more users to a service
US20090059952A1 (en) * 2007-08-31 2009-03-05 Nokia Corporation Apparatus and method for managing access to one or more network resources
WO2009027909A2 (en) * 2007-08-31 2009-03-05 Nokia Corporation Apparatus and method for managing access to one or more network resources
WO2009027909A3 (en) * 2007-08-31 2009-04-30 Dimitris Kalofonos Apparatus and method for managing access to one or more network resources
US8037519B2 (en) 2007-08-31 2011-10-11 Nokia Corporation Apparatus and method for managing access to one or more network resources
US8843942B2 (en) 2007-09-28 2014-09-23 Xcerion Aktiebolag Interpreting semantic application code
US20090171993A1 (en) * 2007-09-28 2009-07-02 Xcerion Ab Network operating system
US9344497B2 (en) 2007-09-28 2016-05-17 Xcerion Aktiebolag State management of applications and data
US20090192969A1 (en) * 2007-09-28 2009-07-30 Xcerion Aktiebolag Network operating system
US20090192992A1 (en) * 2007-09-28 2009-07-30 Xcerion Aktiebolag Network operating system
US20090254610A1 (en) * 2007-09-28 2009-10-08 Xcerion Ab Network operating system
US20090157627A1 (en) * 2007-09-28 2009-06-18 Xcerion Ab Network operating system
US9071623B2 (en) 2007-09-28 2015-06-30 Xcerion Aktiebolag Real-time data sharing
US8156146B2 (en) * 2007-09-28 2012-04-10 Xcerion Aktiebolag Network file system
US9621649B2 (en) 2007-09-28 2017-04-11 Xcerion Aktiebolag Network operating system
US8099671B2 (en) * 2007-09-28 2012-01-17 Xcerion Aktiebolag Opening an application view
US8108426B2 (en) 2007-09-28 2012-01-31 Xcerion Aktiebolag Application and file system hosting framework
US8112460B2 (en) * 2007-09-28 2012-02-07 Xcerion Aktiebolag Framework for applying rules
US8615531B2 (en) 2007-09-28 2013-12-24 Xcerion Aktiebolag Programmatic data manipulation
US8234315B2 (en) * 2007-09-28 2012-07-31 Xcerion Aktiebolag Data source abstraction system and method
US8239511B2 (en) 2007-09-28 2012-08-07 Xcerion Aktiebolag Network operating system
US8280925B2 (en) 2007-09-28 2012-10-02 Xcerion Aktiebolag Resolution of multi-instance application execution
US8996459B2 (en) 2007-09-28 2015-03-31 Xcerion Aktiebolag Offline and/or client-side execution of a network application
US8959123B2 (en) 2007-09-28 2015-02-17 Xcerion Aktiebolag User interface framework
US8620863B2 (en) 2007-09-28 2013-12-31 Xcerion Aktiebolag Message passing in a collaborative environment
US8954526B2 (en) 2007-09-28 2015-02-10 Xcerion Aktiebolag Network operating system
US8688627B2 (en) 2007-09-28 2014-04-01 Xcerion Aktiebolag Transaction propagation in a networking environment
US8738567B2 (en) * 2007-09-28 2014-05-27 Xcerion Aktiebolag Network file system with enhanced collaboration features
US20090172569A1 (en) * 2007-09-28 2009-07-02 Xcerion Ab Network operating system
US20090094688A1 (en) * 2007-10-04 2009-04-09 Cognos Incorporated Method and system for synchronizing user sessions
US8640202B2 (en) 2007-10-04 2014-01-28 International Business Machines Corporation Synchronizing user sessions in a session environment having multiple web services
US20090150592A1 (en) * 2007-12-06 2009-06-11 Kuo Hsiao-Chang Storage device with multiple management identity and management method thereof
US20110099482A1 (en) * 2009-10-22 2011-04-28 International Business Machines Corporation Interactive management of web application firewall rules
US9473457B2 (en) * 2009-10-22 2016-10-18 International Business Machines Corporation Interactive management of web application firewall rules
US9038168B2 (en) * 2009-11-20 2015-05-19 Microsoft Technology Licensing, Llc Controlling resource access based on resource properties
US20110126281A1 (en) * 2009-11-20 2011-05-26 Nir Ben-Zvi Controlling Resource Access Based on Resource Properties
US20130198828A1 (en) * 2012-01-31 2013-08-01 Eric Addkison Pendergrass Application-access authentication agent
US8844015B2 (en) * 2012-01-31 2014-09-23 Hewlett-Packard Development Company, L.P. Application-access authentication agent
US10043018B2 (en) * 2015-11-17 2018-08-07 Microsoft Technology Licensing, Llc Access privilege analysis for a securable asset
US20170140159A1 (en) * 2015-11-17 2017-05-18 Microsoft Technology Licensing, Llc Access Privilege Analysis for a Securable Asset

Also Published As

Publication number Publication date Type
US20090055905A1 (en) 2009-02-26 application
US7475138B2 (en) 2009-01-06 grant
US7805513B2 (en) 2010-09-28 grant

Similar Documents

Publication Publication Date Title
US6311278B1 (en) Method and system for extracting application protocol characteristics
US8166554B2 (en) Secure enterprise network
US8826443B1 (en) Selective removal of protected content from web requests sent to an interactive website
Wang et al. Protection and communication abstractions for web browsers in MashupOS
US7516492B1 (en) Inferring document and content sensitivity from public account accessibility
US7464407B2 (en) Attack defending system and attack defending method
US7523301B2 (en) Inferring content sensitivity from partial content matching
US8370939B2 (en) Protection against malware on web resources
US8266327B2 (en) Identity brokering in a network element
US6687833B1 (en) System and method for providing a network host decoy using a pseudo network protocol stack implementation
US7441265B2 (en) Method and system for session based authorization and access control for networked application objects
US7016964B1 (en) Selectively passing network addresses through a server
US6928487B2 (en) Computer system, method, and business method for automating business-to-business communications
US8370407B1 (en) Systems providing a network resource address reputation service
US20060167975A1 (en) Caching content and state data at a network element
Groß Security analysis of the SAML single sign-on browser/artifact profile
US20060146879A1 (en) Interpreting an application message at a network element using sampling and heuristics
US20110219035A1 (en) Database security via data flow processing
US20010034847A1 (en) Internet/network security method and system for checking security of a client from a remote facility
US20040088409A1 (en) Network architecture using firewalls
US6275937B1 (en) Collaborative server processing of content and meta-information with application to virus checking in a server network
US20110213869A1 (en) Processing data flows with a data flow processor
US8769127B2 (en) Cross-domain solution (CDS) collaborate-access-browse (CAB) and assured file transfer (AFT)
US7185361B1 (en) System, method and computer program product for authenticating users using a lightweight directory access protocol (LDAP) directory server
US20110238855A1 (en) Processing data flows with a data flow processor

Legal Events

Date Code Title Description
AS Assignment

Owner name: COGNOS INCORPORATED, CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRAVELINE, MARC;VINEY, ULF;MASSON, MATT;REEL/FRAME:016734/0031;SIGNING DATES FROM 20051003 TO 20051013

AS Assignment

Owner name: COGNOS ULC, CANADA

Free format text: CERTIFICATE OF AMALGAMATION;ASSIGNOR:COGNOS INCORPORATED;REEL/FRAME:021387/0813

Effective date: 20080201

Owner name: IBM INTERNATIONAL GROUP BV, NETHERLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:COGNOS ULC;REEL/FRAME:021387/0837

Effective date: 20080703

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:IBM INTERNATIONAL GROUP BV;REEL/FRAME:021398/0001

Effective date: 20080714

Owner name: COGNOS ULC,CANADA

Free format text: CERTIFICATE OF AMALGAMATION;ASSIGNOR:COGNOS INCORPORATED;REEL/FRAME:021387/0813

Effective date: 20080201

Owner name: IBM INTERNATIONAL GROUP BV,NETHERLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:COGNOS ULC;REEL/FRAME:021387/0837

Effective date: 20080703

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION,NEW YO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:IBM INTERNATIONAL GROUP BV;REEL/FRAME:021398/0001

Effective date: 20080714

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: PALO ALTO NETWORKS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:033983/0262

Effective date: 20140930

FPAY Fee payment

Year of fee payment: 8